Words have meaning. Cybersecurity and IT professionals routinely abuse the terms “policy” and “standard” as if they are synonymous. The same holds true for compliance terms since these terms tend to get thrown in the same bucket even though there are significant differences that should be kept in mind.

Why Should You Care?

Beyond just using terminology properly, understanding which of the three types of compliance is crucial in managing both cybersecurity and privacy risk within an organization. The difference between non-compliance can be as stark as (1) going to jail, (2) getting fined, (3) getting sued, (4) losing your contract and (5) an unpleasant combination of the previous options.

Understanding the “hierarchy of pain” with compliance leads to well-informed risk decisions that influence technology purchases, staffing resources and management involvement. That is why it serves both cybersecurity and IT professionals well to understand the compliance landscape for their benefit, since you can present issues of non-compliance in a compelling business context to get the resources you need to do your job.

In the context of this article, I’m going to cover the most common types of compliance requirements: statutory, regulatory and contractual.

Statutory Cybersecurity & Privacy Requirements

Statutory obligations are required by law and refer to current laws that were passed by a state or federal government. These laws are generally static and rarely change unless a new law is passed that updates it, such as the HITECH Act, which provided updates to the two-decades-old HIPAA.

From a cybersecurity and privacy perspective, statutory compliance requirements include:

Regulatory Cybersecurity & Privacy Requirements

Regulatory obligations are required by law, but they are different from statutory requirements in that these requirements refer to rules issued by a regulating body that is appointed by a state or federal government. These are legal requirements through proxy, where the regulating body is the source of the requirement. It is important to keep in mind that regulatory requirements tend to change more often than statutory requirements.

From a cybersecurity and privacy perspective, regulatory compliance examples include:

Contractual Cybersecurity & Privacy Requirements

Contractual obligations are required by legal contract between private parties. This may be as simple as a cybersecurity or privacy addendum in a vendor contract that calls out unique requirements. It also includes broader requirements from an industry association that membership brings certain obligations.

From a cybersecurity and privacy perspective, common contractual compliance requirements include:

About the Author: Beverly Cornelius is a partner at ComplianceForge. ComplianceForge is a specialty cybersecurity firm that focuses on governance, risk, compliance and privacy-related documentation. Their unique solutions help companies document their cybersecurity governance programs to comply with specialized requirements, such as NIST 800-171, FAR, and EU GDPR.

Editor’s Note:The opinions expressed in this guest author article are solely those of the contributor, and do not necessarily reflect those of Tripwire, Inc.